After a prolonged AWS outage, which was followed by aftershocks over the next days, a CNBC story summarized one of the most important conversations that the event sparked: Can large businesses rely on one vendor or should they spread their workloads in the event of another similar incident?
Our answer is that organisations already are. They can spread their workloads across multiple environments. The question that is most pressing is: How can enterprises best secure multi-cloud or hybrid environments as they change and evolve?
Each multi-cloud environment is uniquely complex
Many organizations around the world are rapidly moving to cloud-hosted environments and decommissioning their old data centers. Because each cloud has different requirements, their security architectures are more complex. Threat actors are also well aware that rapid migrations into colocation facilities and to the public cloud can leave inconsistent security policies behind, and they use attack techniques and tools (think DDoS for hire, booters) to target the resulting weaknesses.
This inconsistency can’t be avoided. Security controls (WAF, DDoS, bot management, API protection, etc.) cannot be ignored. Each environment is unique. Customers will end up with multiple security options as they try to reduce risk, improve performance, or gain specific features by spreading their workloads over multiple clouds. This increases the chance of misconfiguration and mismanagement, which is a leading cause of compromised data. The enterprise IT team must also deal with a fragmented and dispersed cloud-hosted infrastructure. This can lead to additional frustration and cost.
(If you think that you can avoid all this complexity by sticking to one solution, we believe this is a mistake. It is expensive and causes unnecessary performance issues and points of failure.)
It is often difficult to troubleshoot multi-cloud environments. Many cloud-hosted IPs can be out of reach of enterprises, making them vulnerable to DDoS attacks. (Read more in our ebook DDoS Defense in a Hybrid Cloud World.)
Enterprises are best protected by taking control of cloud security, given the increasing number and severity of cyberattacks and the inevitable migration to hybrid and multi-cloud environments.
Combining CSP solutions together is less secure and costs more
You will need flexible DDoS attack protection for hybrid architectures if your organization uses multiple public cloud providers. Security responsibility in public cloud environments can differ from provider to provider. False assumptions about who is responsible can expose you to enormous risk.
As you can see, the customer is ultimately responsible for ensuring application security in the public cloud. The AWS shared responsibility model is similar to those of other public cloud providers. This responsibility includes DDoS protection but also covers higher-level security controls such as protecting against data exfiltration and hacking, as well as bots.
Although some security controls are provided by hyperscale cloud providers, not all of them are available. Although security lists, web application firewalls, API reputation, IP protection, and bot management solutions are all available to varying degrees, they are additional purchases that operate independently of each other. This click-to-add architecture is not a purpose-built security platform. It adds complexity, increases cloud costs and reduces security. Additionally, IT staff must spend more time managing security, which adds to the overall cost.
With many internet-facing assets spread across multiple clouds, it is difficult for enterprises to integrate, deploy and manage DDoS defenses within each CSP environment. CSPs' in-house DDoS mitigation solutions are often inadequate to meet the needs of enterprises, which include:
- Reporting and visibility into events, before and after they happen. This includes post-attack analysis.
- A time-to-mitigate service level agreement (CSPs mostly offer service credits to the affected organisation after a breach or outage).
- Access to 24/7 global security operations center (SOC) support on demand.
Last but not least, proper support is essential to ensure business continuity as well as minimize impact. Many businesses don’t have access to the right support because it is becoming more difficult to fill security positions (and this is true in all regions).
How can you best protect multi-cloud and hybrid environments? At the edge.
Your cloud strategy should be empowered by your mitigation strategy and not at its mercy. Akamai’s purpose-built security solution protects your applications and stops malicious bots from reaching infrastructure and data centers. It provides four layers of protection in one platform, tailored to your web applications and internet-based services.
Edge defense: The Akamai Edge CDN delivers and speeds up web traffic over HTTPS. Every Akamai Edge server functions as a reverse proxy. They forward legitimate HTTP/S traffic over ports 80 and 443, and drop all other traffic at their network edge. Every Akamai customer receives instant mitigation from all network-layer DDoS attacks in their web delivery. Edge-security solutions also have the advantage of not having to maintain a separate CDN. You also get out-of-the-box egress savings through caching.
DNS defense: The same technology is applied to Akamai's authoritative DNS service, Edge DNS. Edge DNS immediately drops all traffic that is not on port 53. Akamai designed Edge DNS to be more resilient against DDoS attacks than other DNS solutions. It also features redundancies at multiple levels, including name servers, points of presence, and a segmented IP anycast cloud.
Cloud scrubbing defense: Prolexic protects all data centers and internet-facing infrastructure against DDoS attacks via all ports and protocols. Prolexic allows us to route legitimate and malicious traffic through it, allowing us to build both positive security models and negative security models that can proactively and immediately mitigate DDoS attacks.
Human defense: The Akamai Security Operations Command Center (SOCC) experts act as an extension of an enterprise’s incident response team to balance automation and human engagement. With this layer of defense, businesses can reap the enormous benefits of:
- Proactive monitoring for behavioral anomalies to detect early threats
- Expertly crafted defense with scalable protection
- Greater visibility into and awareness of emerging and existing threats, so you can respond faster
- Enhanced security intelligence to address the increasing attack surface
Because scaling up is not required, responding at the edge reduces the actual cost of fighting DDoS attacks. Roll-your-own solutions (like a WAF AMI on AWS or ModSecurity-based solutions) run on compute nodes. This means that the more severe the attack is, the more they have to scale up. The more they scale up, the more the costs go up.
You think you are a low-risk target? Multi-cloud environments offer no such protection.
IDC estimates that DDoS attacks will increase at an 18% annual rate through 2023. This is a strong indicator that it is time for increased investment in mitigation controls. While some organizations may think they are low-risk targets for DDoS attacks, the AWS outage shows that everyone is at risk of experiencing downtime and reduced performance due to their increasing reliance on internet connectivity. Find out more about security at the edge.
About the author
Pavel Despot is the Senior Product Marketer for cloud at Akamai's Edge Technology Group. He has more than 20 years of experience in designing and deploying large-scale cloud solutions for financial institutions and global carriers. As Principal Solutions Engineer at Akamai, he created secure and fault-tolerant cloud solutions. He holds two patents on mobile network design. He also served in leadership roles at the CTIA Wireless Internet Caucus as well as the CDMA Developers Group and the Interactive Advertising Bureau. Pavel lives in Boston.
Copyright © 2022 IDG Communications, Inc.